How To Configure RDP Encryption via Group Policy for Windows Servers

On Windows servers, Remote Desktop Protocol (RDP), historically called Terminal Services, is the de facto remote access tool. Built into the operating system since Windows 2000, it lets administrators and users alike reach a system with ease.
One of the key configuration points is the encryption level for Remote Desktop connections. The default level is Medium on Windows Server 2003 and Client Compatible on Windows Server 2008 R2. Client Compatible negotiates down to the strongest level the connecting client supports, so an old client can leave a session weakly encrypted; the available choices are Low, Client Compatible, High (128-bit) and FIPS Compliant. (Note: the RDP encryption level is not the same as Network Level Authentication, which is a separate enhancement that authenticates the user before a full session is established.) The figure shows the RDP encryption settings on a Windows Server 2008 R2 system.
The best way to centrally manage RDP encryption for Windows Server 2003 and newer systems is a Group Policy Object (GPO). In the Group Policy editor, browse to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Encryption And Security (with the Windows Server 2008 R2 templates the same setting lives under Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security). The setting to configure is Set client connection encryption level; link the GPO to the OU that holds the managed servers in Active Directory so the policy is deployed to all of them.

This is also a configuration item that can help you on a PCI audit if one is in your future. Requirement 2.3 states to: “Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access.” For Windows servers, setting the RDP encryption level to High is the usual way to address this requirement for your audit, and it is a positive step toward securing your environment regardless. One caveat: High on its own refers to the legacy RDP security layer (128-bit RC4), not TLS. To meet the letter of the requirement, also set Require use of specific security layer for remote (RDP) connections to SSL (TLS 1.0) in the same GPO node, and verify that the policy actually reached each server rather than assuming the GPO applied.
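The following PowerShell script is an added example, not code from the original article, that audits what the GPO settings above actually produced on each server: it reads the effective RDP encryption level and security layer (the policy registry values written by the GPO override the listener's local values), decodes them into the names used in the Group Policy editor, and flags any host that is not at High or FIPS encryption over the TLS security layer. The registry paths and value names are the ones Windows uses for these settings; the server list in $Computers is a placeholder, and remote hosts are assumed to be reachable over PowerShell remoting from an elevated session.

```powershell
# Added example (not from the original article): audit effective RDP
# encryption settings on one or more servers and report PASS/REVIEW.
# Assumes an elevated session and PowerShell remoting to the targets.

$Computers = @('localhost')   # placeholder list; replace with your servers

# How the DWORD values map to the choices shown in the Group Policy editor
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

# "Set client connection encryption level" and "Require use of specific
# security layer" write under the Policies key, which overrides the listener.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$Audit = {
    param($PolicyKey, $ListenerKey)

    # Read a DWORD, returning $null when the value does not exist
    function Get-RegDword($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Policy value wins when present; otherwise the listener's own value applies
    function Get-Effective($Name) {
        $v = Get-RegDword $PolicyKey $Name
        if ($null -ne $v) { return @{ Value = $v; Source = 'GPO' } }
        return @{ Value = (Get-RegDword $ListenerKey $Name); Source = 'Local' }
    }

    $enc   = Get-Effective 'MinEncryptionLevel'
    $layer = Get-Effective 'SecurityLayer'
    $nla   = Get-Effective 'UserAuthentication'

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        MinEncryptionLevel  = $enc.Value
        EncryptionSource    = $enc.Source
        SecurityLayer       = $layer.Value
        SecurityLayerSource = $layer.Source
        NlaRequired         = ($nla.Value -eq 1)
    }
}

# Turn a raw DWORD into its editor name, or mark it as not configured
function Describe($Table, $Value) {
    if ($null -eq $Value) { return 'not set' }
    $name = $Table[[int]$Value]
    if ($null -eq $name) { return "unknown ($Value)" }
    return $name
}

foreach ($c in $Computers) {
    $r = if ($c -eq 'localhost') { & $Audit $PolicyKey $ListenerKey }
         else { Invoke-Command -ComputerName $c -ScriptBlock $Audit -ArgumentList $PolicyKey, $ListenerKey }

    # Pass only for High or FIPS encryption on the TLS security layer; "High"
    # on the legacy RDP layer is still RC4, not TLS.
    $pass = ($r.MinEncryptionLevel -ge 3) -and ($r.SecurityLayer -eq 2)

    '{0}: encryption={1} [{2}], security layer={3} [{4}], NLA required={5} -> {6}' -f `
        $r.Computer,
        (Describe $EncryptionLevels $r.MinEncryptionLevel), $r.EncryptionSource,
        (Describe $SecurityLayers $r.SecurityLayer), $r.SecurityLayerSource,
        $r.NlaRequired,
        $(if ($pass) { 'PASS' } else { 'REVIEW' })
}
```

Run it after the GPO has had time to apply (or after gpupdate /force on a test server). A host that reports the encryption level from the Local source rather than GPO has not picked up the policy, which is exactly the gap an auditor will ask about; a host at High on the RDP Security Layer is encrypted but not with TLS, so it is worth reviewing against the wording of Requirement 2.3.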
